This week saw some critical cumulative updates for Exchange 2016 and Exchange 2019. These new updates contain the security patches previously released on March 2nd. Organizations that apply these cumulative updates don’t need to install the previous security patch.
The exception to this is those organizations on Exchange 2010 or Exchange 2013, where no update has superseded the March 2nd security patch. Those on Exchange 2010 and 2013 must ensure that they have the March 2nd patch applied as soon as possible.
The updates are as follows:
- Exchange 2019 Cumulative Update 9 | KB4602570
- Exchange 2016 Cumulative Update 20 | KB4602569 | UM Language Pack
- Exchange 2013 Security Update | KB5000871 (March 2nd Security Patch)
- Exchange 2010 SP3 Rollup 32 | KB5000978 (March 2nd Security Patch)
Tackling the March 2nd security exploits
It is imperative to protect yourself from the exploits published on March 2nd. HAFNIUM, a cyberespionage group with ties to the Chinese government, has leveraged these Exchange Server exploits to infiltrate victims’ networks to deliver malware and other malicious payloads with varying motives, primarily to exfiltrate confidential data.
First, patching is imperative.
- Those on Exchange 2016 or 2019 should apply the latest cumulative update.
- Those on Exchange 2013 will need to install Cumulative Update 23 (released June 2019), followed by the March 2nd, 2021 security patch.
- Those on Exchange 2010 need to install Rollup 32.
Note: On March 8th, Microsoft updated the security patch so that it can be installed on older cumulative updates. This aided organizations that could not yet upgrade to the latest cumulative update. Be aware that applying the security patch and then upgrading to an older CU (rather than the latest) will expose your organization to the exploits again.
Once you are fully patched, I recommend running the Microsoft Safety Scanner (also known as the Microsoft Emergency Response Tool), which detects and remediates all known malware. This is a self-executing program that can be downloaded here.
I recommend running a full system scan. Note that it takes a few hours to run a scan, and it may spike your CPU, so it’s best to do this during a maintenance window. If you have a database availability group, consider putting the server into maintenance mode so that you can run the scanner with zero user impact.
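One way to wrap the full scan in DAG maintenance mode, as an added example that is not part of the original post. It assumes Exchange 2013 or later, the Exchange Management Shell running on the DAG member itself, and the placeholder names EX01 and EX02.contoso.com.

```powershell
# Added example. EX01 and EX02.contoso.com are placeholders, not values from the post.
# Run in the Exchange Management Shell on the DAG member being scanned.
$Server = 'EX01'               # DAG member that will be scanned
$Target = 'EX02.contoso.com'   # FQDN of another server that takes over queued mail

function Enter-ScanMaintenance {
    # Drain transport and hand queued messages to the other server
    Set-ServerComponentState $Server -Component HubTransport -State Draining -Requester Maintenance
    Restart-Service MSExchangeTransport
    Redirect-Message -Server $Server -Target $Target -Confirm:$false

    # Pause the cluster node, move active databases away, block re-activation
    Suspend-ClusterNode $Server
    Set-MailboxServer $Server -DatabaseCopyActivationDisabledAndMoveNow $true
    Set-MailboxServer $Server -DatabaseCopyAutoActivationPolicy Blocked

    # Do not take the server offline while it still hosts a mounted database
    while (Get-MailboxDatabaseCopyStatus -Server $Server | Where-Object Status -eq 'Mounted') {
        Start-Sleep -Seconds 30
    }
    Set-ServerComponentState $Server -Component ServerWideOffline -State Inactive -Requester Maintenance
}

function Exit-ScanMaintenance {
    # Reverse the steps above once the scan has finished
    Set-ServerComponentState $Server -Component ServerWideOffline -State Active -Requester Maintenance
    Resume-ClusterNode $Server
    Set-MailboxServer $Server -DatabaseCopyActivationDisabledAndMoveNow $false
    Set-MailboxServer $Server -DatabaseCopyAutoActivationPolicy Unrestricted
    Set-ServerComponentState $Server -Component HubTransport -State Active -Requester Maintenance
    Restart-Service MSExchangeTransport

    # Any component listed here has not returned to service
    Get-ServerComponentState $Server | Where-Object State -ne 'Active'
}

Enter-ScanMaintenance
# Run the Microsoft Safety Scanner full scan here, then review its results.
Exit-ScanMaintenance
```

Repeat the sequence for one DAG member at a time so the remaining members keep serving users while each scan runs.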